• GenderNeutralBro@lemmy.sdf.org · 8 upvotes · 2 months ago

    They could avoid storing the recovery email in plaintext. A hash would be sufficient if they require the user to enter their recovery email for confirmation when they really need to recover the account.

    For an ostensibly privacy-oriented service, Proton makes some weird architectural choices.

      • GenderNeutralBro@lemmy.sdf.org · 4 upvotes · 2 months ago

        they need plaintext because they send you a recovery code or a support ticket

        Sure, but we’re talking about architectural choices. It is Proton’s choice to use that system; it is not required for the goal of account recovery.
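The first comment proposes storing only a hash of the recovery address and asking the user to type it again when they actually recover the account. The sketch below is an added example written for this thread, not Proton's code or anything the commenters posted. It assumes a hypothetical in-memory user table, a constructed server-side secret (`SERVER_PEPPER`) and a constructed sample address. The pepper is there because e-mail addresses are low-entropy: a salted hash alone can be dictionary-tested by anyone who obtains the table, while an HMAC key kept outside the database removes that offline attack. Nothing in the table is the plaintext address, yet the recovery flow still learns where to send the code, because the user supplies the address and the service only accepts it when the digest matches.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: a server-side secret ("pepper") held outside the user
# database (in production, a KMS/HSM-held key). Without it, a salted hash of a
# guessable e-mail address can be brute-forced offline by whoever steals the table.
SERVER_PEPPER = b"constructed-example-pepper-not-for-production"

# Constructed in-memory "user table": user_id -> {"salt": bytes, "digest": bytes}.
# The plaintext address is never written here.
RECOVERY_RECORDS = {}

PBKDF2_ITERATIONS = 200_000  # slow hash on top of the HMAC; scrypt/argon2 also fit


def normalize_email(email: str) -> str:
    """Canonicalise the address so trivial variants still match at recovery time."""
    return email.strip().lower()


def derive_digest(email: str, salt: bytes) -> bytes:
    """HMAC the normalised address with the pepper, then stretch with a per-record salt."""
    peppered = hmac.new(SERVER_PEPPER, normalize_email(email).encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS, dklen=32)


def store_recovery_email(user_id: str, email: str) -> None:
    """Persist only salt + digest for the user's recovery address."""
    salt = os.urandom(16)
    RECOVERY_RECORDS[user_id] = {"salt": salt, "digest": derive_digest(email, salt)}


def verify_recovery_email(user_id: str, candidate: str) -> bool:
    """Compare a user-supplied address against the stored digest in constant time."""
    record = RECOVERY_RECORDS.get(user_id)
    if record is None:
        return False
    return hmac.compare_digest(derive_digest(candidate, record["salt"]), record["digest"])


def begin_recovery(user_id: str, candidate: str) -> Optional[str]:
    """Recovery flow from the comment: the user types the address, and the
    service learns where to send the code only when the digest matches.
    Returns the normalised destination address, or None when the check fails."""
    if not verify_recovery_email(user_id, candidate):
        return None
    return normalize_email(candidate)


def stored_plaintext_present(email: str) -> bool:
    """Sanity check: the stored bytes must not contain the address anywhere."""
    needle = normalize_email(email).encode()
    return any(needle in rec["salt"] + rec["digest"] for rec in RECOVERY_RECORDS.values())


if __name__ == "__main__":
    # Constructed sample account and address.
    store_recovery_email("u1", "  Alice@Example.com ")
    print(begin_recovery("u1", "alice@example.com"))    # where the code would be sent
    print(begin_recovery("u1", "mallory@example.com"))  # None: no address is revealed
    print(stored_plaintext_present("alice@example.com"))  # False
```

The trade-off the second comment raises still applies: with this design the service cannot initiate contact (a support ticket, a breach notification) on its own, because it never holds the address; it can only confirm an address the user presents.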